ARIN RPKI TAL deployment issues

Mon Oct 15 08:40:13 UTC 2018

From: NANOG <nanog-bounces at nanog.org> on behalf of John Curran <jcurran at arin.net>
Date: Wednesday, 26 September 2018 at 16:51
To: Tony Finch <dot at dotat.at>
Cc: David Wishnick <dwishn at law.upenn.edu>, nanog list <nanog at nanog.org>, "Ben at benjojo.co.uk" <Ben at benjojo.co.uk>, Job Snijders <job at ntt.net>
Subject: Re: ARIN RPKI TAL deployment issues

On 26 Sep 2018, at 11:02 AM, Tony Finch <dot at dotat.at<mailto:dot at dotat.at>> wrote:

John Curran <jcurran at arin.net<mailto:jcurran at arin.net>> wrote:

From <https://www.apnic.net/manage-ip/myapnic/digital-certificates/ca-terms-conditions/>

"CA Terms & Conditions

APNIC’s Certification Authority (CA) services are provided under the
following terms and conditions: ...

• The recipient of any Digital Certificates issued by the APNIC CA
service will indemnify APNIC against any and all claims by third parties
for damages of any kind arising from the use of that certificate.”

That's about certificates, not about trust anchors. It applies to APNIC
members and account holders, not to relying parties.

Tony -

Interesting assertion… while APNIC does issue digital certificates to APNIC customers for identity authentication purposes, it also issues digital certificates for RPKI.

It’s possible that the intent that the term “Digital Certificates” (capitalized) in the CA Terms and Conditions refers to only to those within APNIC’s identity CA, but the argument against that would be APNIC’s online information about "Digital Certificates" -

=== From <https://www.apnic.net/manage-ip/myapnic/digital-certificates/about-cas/>)

What is a Digital Certificate?

Digital Certificates bind an identity to a pair of electronic keys that can be used to encrypt and sign digital information. APNIC uses electronic certificates to prove its own identity, the identity of its Members, and the right-of-use over Internet resources.

APNIC issues regular Public Key Infrastructure (PKI) certificates for access control to APNIC services such as the MyAPNIC Member services website.

In the case of Resource Certification, APNIC issues Resource Public Key Infrastructure (RPKI) certificates that have ‘Certificate Extensions’ added. These Certificate Extensions carry the Internet number resources allocated or assigned to the APNIC Member who is the subject of the Resource Certificate. These Resource Certificates are different to the identity certificates used for Web system access, and may only be used in the context of verifying an entity’s “right-of-use” over an IP address or AS. As a result, APNIC now manages two independent certificate authorities, one for Member services, and the second for Resource Certification.
…
===

Given that APNIC explicitly mentions the RPKI electronic certificates in their explanation of what Digital Certificates are (and further noting that ROA’s do indeed contain within them end-entity resource certificates with keys for verification), APNIC”s overall CA Terms and Conditions, including the referenced indemnification clause, would appear to be applicable to their RPKI CA services.

If the intent was indeed to limit the scope, then then APNIC could have easily used the term “Identity Certificates” in the indemnification clause to make clear its limited scope; i.e. if you’re particularly concerned about liability from the resulting indemnification, it might be best to get this clarified one way or the other from APNIC.

Thanks!
/John

John Curran
President and CEO
ARIN

I asked APNIC about this and they confirmed that making use of their RPKI TAL does not bind you to their CA terms and conditions, so there’s no indemnity requirement.

Edward Dore
Freethought Internet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20181015/8ef5d261/attachment.html>